#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
# Module Tproxy Ubuntu 14.04 lts
# ======================================================================
modprobe xt_TPROXY
modprobe xt_socket
modprobe xt_mark
modprobe nf_nat
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe nf_defrag_ipv4
modprobe ipt_REDIRECT
modprobe iptable_nat

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

iptables -t mangle -F
iptables -t mangle -X

# IPTABLES Tproxy
# ======================================================================
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -d 192.168.10.251/32 -p tcp -m multiport --dports 80,443,3127,3128,3129,8000,8080 -j ACCEPT
iptables -t mangle -A PREROUTING ! -d 192.168.10.251/32 -s 192.168.0.0/16 -p tcp -m multiport --dports 80,8080,8000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -A PREROUTING ! -d 192.168.10.251/32 -s 192.168.0.0/16 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# EBTABLES bridge mode interface ubuntu 14.04 lts
# ======================================================================
#local: ganti eth-local sesuai topologi (contoh: eth0 atau eth1)
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 443 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 8000 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 8080 -j redirect --redirect-target ACCEPT

#public: ganti eth-public sesuai topologi (contoh: eth0 atau eth1)
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 443 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 8000 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 8080 -j redirect --redirect-target ACCEPT

cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i

ulimit -HSn 65536
echo "root 	soft 	nofile 		65536" >> /etc/security/limits.conf
echo "root 	hard 	nofile 		65536" >> /etc/security/limits.conf

exit 0
